Executive Summary

Information | | | |
---|---|---|---|
Name | CVE-2011-4107 | First vendor publication | 2011-11-17 |
Vendor | CVE | Last vendor modification | 2024-11-21 |
Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | | | |
---|---|---|---|
Overall CVSS Score | 6.5 | | |
Base Score | 6.5 | Environmental Score | 6.5 |
Impact Sub Score | 3.6 | Temporal Score | 6.5 |
Exploitability Sub Score | 2.8 | | |
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | Low | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | None | Availability Impact | None |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) | | | |
---|---|---|---|
CVSS Base Score | 4.3 | Attack Range | Network |
CVSS Impact Score | 2.9 | Attack Complexity | Medium |
CVSS Exploit Score | 8.6 | Authentication | None Required |
Detail

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Original Source

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
CWE: Common Weakness Enumeration

% | Id | Name |
---|---|---|
100 % | CWE-611 | Information Leak Through XML External Entity File Disclosure |
OVAL Definitions

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:15400 |
Title | DSA-2391-1 phpmyadmin -- several |
Description | Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-4107 The XML import plugin allowed a remote attacker to read arbitrary files via XML data containing external entity references. CVE-2011-1940, CVE-2011-3181 Cross site scripting was possible in the table tracking feature, allowing a remote attacker to inject arbitrary web script or HTML. The oldstable distribution is not affected by these problems. |
Family | unix |
Class | patch |
Reference(s) | DSA-2391-1, CVE-2011-1940, CVE-2011-3181, CVE-2011-4107 |
Version | 7 |
Platform(s) | Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0 |
Product(s) | phpmyadmin |

CPE: Common Platform Enumeration
ExploitDB Exploits

Date | Description |
---|---|
2012-01-14 | phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection |
OpenVAS Exploits

Date | Name | File |
---|---|---|
2012-03-19 | Fedora Update for phpMyAdmin FEDORA-2011-15841 | nvt/gb_fedora_2011_15841_phpMyAdmin_fc16.nasl |
2012-02-12 | Gentoo Security Advisory GLSA 201201-01 (phpMyAdmin) | nvt/glsa_201201_01.nasl |
2012-02-11 | Debian Security Advisory DSA 2391-1 (phpmyadmin) | nvt/deb_2391_1.nasl |
2012-01-09 | Mandriva Update for phpmyadmin MDVSA-2011:198 (phpmyadmin) | nvt/gb_mandriva_MDVSA_2011_198.nasl |
2011-11-25 | Fedora Update for phpMyAdmin FEDORA-2011-15831 | nvt/gb_fedora_2011_15831_phpMyAdmin_fc14.nasl |
2011-11-25 | Fedora Update for phpMyAdmin FEDORA-2011-15846 | nvt/gb_fedora_2011_15846_phpMyAdmin_fc15.nasl |
0000-00-00 | FreeBSD Ports: phpMyAdmin | nvt/freebsd_phpMyAdmin29.nasl |
Open Source Vulnerability Database (OSVDB)

Id | Description |
---|---|
76798 | phpMyAdmin libraries/import/xml.php XML Data Entity References Parsing Remote... |
Nessus® Vulnerability Scanner

Date | Name | File | Type |
---|---|---|---|
2014-06-13 | The remote openSUSE host is missing a security update. | openSUSE-2011-14.nasl | ACT_GATHER_INFO |
2012-05-21 | The remote web server hosts a PHP application that is affected by an informat... | phpmyadmin_pmasa_2011_17.nasl | ACT_GATHER_INFO |
2012-01-23 | The remote Debian host is missing a security-related update. | debian_DSA-2391.nasl | ACT_GATHER_INFO |
2012-01-05 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201201-01.nasl | ACT_GATHER_INFO |
2011-11-23 | The remote Fedora host is missing a security update. | fedora_2011-15831.nasl | ACT_GATHER_INFO |
2011-11-23 | The remote Fedora host is missing a security update. | fedora_2011-15841.nasl | ACT_GATHER_INFO |
2011-11-23 | The remote Fedora host is missing a security update. | fedora_2011-15846.nasl | ACT_GATHER_INFO |
2011-11-14 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_1f6ee7080d2211e1b5bd14dae938ec40.nasl | ACT_GATHER_INFO |
Sources (Detail)
Alert History

Date |
---|
2024-11-28 23:03:32 |
2024-11-28 12:27:39 |
2024-02-09 09:27:54 |
2021-05-04 12:17:47 |
2021-04-22 01:21:04 |
2020-05-23 00:32:08 |
2017-08-29 09:23:35 |
2016-06-28 18:53:08 |
2016-04-26 21:12:15 |
2014-06-14 13:31:54 |
2014-02-17 11:05:58 |
2013-05-10 23:10:04 |